Veeam Backup for GCP: Backing Up and Restoring Google Compute Engine and Cloud SQL

Author: Yang Meizhi, Public Cloud Architect, MeshCloud (脉时云)

1. Introduction

As public cloud adoption becomes widely accepted by enterprises, the public cloud services market keeps growing. Data security in the cloud has become the issue enterprises care about most: data is a critical corporate asset, and it directly affects a company's ability to generate revenue and even to build a business model for global expansion. Today's complex Internet environment poses a serious threat to the data security of enterprises expanding overseas. A public cloud provider guarantees the availability and reliability of the infrastructure that stores the data, but as the Google Cloud shared responsibility model states, the enterprise is responsible for protecting its own data, including backing it up. Preventing data loss caused by operator error, hardware failure, hacking and similar events is one of the main challenges facing enterprise operations teams today, so a reliable backup and disaster recovery system is essential.

Veeam offers native data protection tooling and a purpose-built, third-party cloud-native backup and disaster recovery solution for Google Cloud: Veeam Backup for Google Cloud (VBG). VBG provides fully automated, Google-native backup and recovery that makes it easy to protect and manage Google Cloud data. By combining native snapshots, backup to object storage classes and flexible recovery options, it removes the risk of data loss for all Google Cloud data while significantly reducing cost. VBG also integrates with Veeam's other cloud backup solutions, so data can be restored and migrated between public cloud providers. The rest of this article walks through backing up and restoring Compute Engine and Cloud SQL with VBG.

2. Planning, Prerequisites and System Architecture

1. Ports to open

Device          Protocol   Port    Description
Backup Server   TCP        443     Access to the Backup Server Web UI
                TCP        13140   Communication with the REST API service running on the Backup Server
                HTTP       80      Fetching operating-system security updates for the Backup Server
                TCP        587     Sending email notifications

2. Service account permissions

The Google Cloud Identity and Access Management (IAM) roles used by Veeam Backup for Google Cloud for data protection and disaster recovery operations must have access to the required Google Cloud services and resources. The permissions are grouped into the following sets:

  • Default Permissions
  • Repository Permissions
  • Worker Permissions
  • Snapshot Permissions
  • Backup Permissions
  • Restore Permissions

3. Google Cloud APIs

The backup appliance and worker instances must have outbound Internet access to the following Google Cloud APIs:

  • Compute Engine API
  • Service Usage API
  • IAM Service Account Credentials API
  • Identity and Access Management (IAM) API
  • Cloud Resource Manager API
  • Cloud Billing API
  • Pub/Sub API
  • Cloud Key Management Service API
  • Cloud SQL Admin API
  • Cloud Logging API
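As an added pre-flight check (example code, not part of the article or of Veeam's product), the script below takes the JSON from `gcloud services list --enabled --project=PROJECT_ID --format=json` and reports which of the ten APIs above are still disabled, together with the `gcloud services enable` command for each. The mapping from the display names above to service identifiers is my own (it assumes the standard *.googleapis.com identifiers), the response layout is assumed from gcloud's JSON output, and the sample response is constructed so the script runs offline.

```python
"""Report which Google Cloud APIs required by VBG are not yet enabled.

Added example (not from the article or from Veeam). Feed it the output of:
    gcloud services list --enabled --project=PROJECT_ID --format=json
The response shape ([{"config": {"name": "..."}, "state": "ENABLED"}, ...])
is assumed from gcloud's JSON output; the sample below is constructed.
"""
import json

# API display names as listed in the article, mapped to the service identifiers
# that `gcloud services enable` expects (assumed standard *.googleapis.com names).
REQUIRED_APIS = {
    "Compute Engine API": "compute.googleapis.com",
    "Service Usage API": "serviceusage.googleapis.com",
    "IAM Service Account Credentials API": "iamcredentials.googleapis.com",
    "Identity and Access Management (IAM) API": "iam.googleapis.com",
    "Cloud Resource Manager API": "cloudresourcemanager.googleapis.com",
    "Cloud Billing API": "cloudbilling.googleapis.com",
    "Pub/Sub API": "pubsub.googleapis.com",
    "Cloud Key Management Service API": "cloudkms.googleapis.com",
    "Cloud SQL Admin API": "sqladmin.googleapis.com",
    "Cloud Logging API": "logging.googleapis.com",
}

# Constructed sample: a project where two of the required APIs are still off.
SAMPLE_ENABLED_JSON = json.dumps([
    {"config": {"name": svc}, "name": f"projects/123456/services/{svc}", "state": "ENABLED"}
    for svc in (
        "compute.googleapis.com", "serviceusage.googleapis.com",
        "iamcredentials.googleapis.com", "iam.googleapis.com",
        "cloudresourcemanager.googleapis.com", "pubsub.googleapis.com",
        "cloudkms.googleapis.com", "logging.googleapis.com",
        "storage.googleapis.com",  # enabled but not on the VBG list; ignored
    )
])


def enabled_services(gcloud_json: str) -> set:
    """Return the set of service identifiers reported as ENABLED."""
    enabled = set()
    for entry in json.loads(gcloud_json):
        if entry.get("state", "ENABLED") != "ENABLED":
            continue
        name = entry.get("config", {}).get("name") or entry.get("name", "")
        enabled.add(name.rsplit("/", 1)[-1])  # tolerate the projects/N/services/X form
    return enabled


def missing_apis(gcloud_json: str) -> list:
    """Display names of required APIs that are not enabled, sorted."""
    enabled = enabled_services(gcloud_json)
    return sorted(label for label, svc in REQUIRED_APIS.items() if svc not in enabled)


def enable_commands(project_id: str, gcloud_json: str) -> list:
    """The gcloud commands an administrator would run to close the gap."""
    return [
        f"gcloud services enable {REQUIRED_APIS[label]} --project={project_id}"
        for label in missing_apis(gcloud_json)
    ]


if __name__ == "__main__":
    for label in missing_apis(SAMPLE_ENABLED_JSON):
        print(f"NOT ENABLED: {label} ({REQUIRED_APIS[label]})")
    for cmd in enable_commands("yangmeizhi-veeam-test", SAMPLE_ENABLED_JSON):
        print(cmd)
```

Run it against the real gcloud output by replacing SAMPLE_ENABLED_JSON with the file contents; an empty result from missing_apis means the appliance's API prerequisites are met.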

4. System architecture diagram

3. VBG Deployment and Initialization

3.1 Deploying the VBG instance

To install Veeam Backup for Google Cloud, log in to Google Cloud Marketplace with a Google account that holds the project Editor role, search for "Veeam Backup for Google Cloud" on the Marketplace home page, and click Veeam Backup for Google Cloud to open its listing.

Click "Launch" to start deploying the VBG instance.

Set the instance name, region, zone, machine type, disk, network, firewall and other details.

Once the basic properties are configured, click "Deploy" to start deploying the VBG instance.

When the VBG instance has been deployed, click OPEN VEEAM BACKUP WEB INTERFACE to go to the Web UI console.

Accept the license agreements.

Enter the instance ID, which can be found in the Compute Engine console.

On first login, create a new user and set its initial password.

Once the user has been created, you are redirected to the login page.

3.2 Initializing VBG

3.2.1 Adding a Google Cloud project

In the VBG Web UI console, click Configuration in the top-right corner to open the settings.

Select Permissions -> Projects and click Add.

Enter the Google project ID and tick the required permission sets.

Enter a custom Account name and click Generate and download script… below to download the script.

Open Cloud Shell locally or from the Google Cloud Console, paste the script into Cloud Shell and run it to grant the project permissions:

gcloud iam service-accounts create yangmeizhi01 --project=yangmeizhi-veeam-test --display-name=yangmeizhi01 --quiet
gcloud iam service-accounts add-iam-policy-binding yangmeizhi01@yangmeizhi-veeam-test.iam.gserviceaccount.com --project=yangmeizhi-veeam-test --member=serviceAccount:veeam-1658740842-sa@fluid-advantage-356905.iam.gserviceaccount.com --role=roles/iam.serviceAccountTokenCreator --condition=None --quiet
gcloud iam roles create Veeam.VB.Backup_5977261342819868319 --project=yangmeizhi-veeam-test --quiet
gcloud iam roles update Veeam.VB.Backup_5977261342819868319 --project=yangmeizhi-veeam-test --permissions='compute.addresses.list,compute.regions.list,compute.disks.list,compute.disks.createSnapshot,compute.disks.get,compute.instances.get,compute.instances.list,compute.snapshots.create,compute.snapshots.delete,compute.snapshots.get,compute.snapshots.list,compute.snapshots.getIamPolicy,compute.snapshots.setIamPolicy,compute.snapshots.setLabels,compute.subnetworks.list,compute.routes.list,compute.machineTypes.get,compute.zones.list,compute.globalOperations.list,compute.globalOperations.get,compute.zoneOperations.get,compute.regionOperations.get,compute.projects.get,compute.regions.get,compute.networks.list,compute.firewalls.list,resourcemanager.projects.get,resourcemanager.projects.getIamPolicy,logging.sinks.create,logging.sinks.delete,logging.sinks.get,logging.sinks.list,logging.sinks.update,pubsub.subscriptions.create,pubsub.subscriptions.delete,pubsub.subscriptions.get,pubsub.subscriptions.list,pubsub.subscriptions.consume,pubsub.topics.attachSubscription,pubsub.topics.create,pubsub.topics.delete,pubsub.topics.detachSubscription,pubsub.topics.get,pubsub.topics.getIamPolicy,pubsub.topics.list,pubsub.topics.setIamPolicy,pubsub.topics.update,cloudkms.keyRings.list,cloudkms.cryptoKeys.list,cloudkms.cryptoKeys.setIamPolicy,cloudkms.cryptoKeys.getIamPolicy,serviceusage.services.list' --quiet
gcloud iam roles create Veeam.VB.Snapshot_5977261342819868319 --project=yangmeizhi-veeam-test --quiet
gcloud iam roles update Veeam.VB.Snapshot_5977261342819868319 --project=yangmeizhi-veeam-test --permissions='compute.addresses.list,compute.firewalls.list,compute.regions.list,compute.disks.list,compute.disks.createSnapshot,compute.disks.get,compute.instances.get,compute.instances.list,compute.networks.list,compute.projects.get,compute.snapshots.create,compute.snapshots.delete,compute.snapshots.get,compute.snapshots.list,compute.subnetworks.list,compute.routes.list,compute.zones.list,compute.globalOperations.list,compute.globalOperations.get,compute.zoneOperations.get,compute.regionOperations.get,resourcemanager.projects.get,compute.snapshots.setLabels,logging.sinks.create,logging.sinks.delete,logging.sinks.get,logging.sinks.list,logging.sinks.update,pubsub.subscriptions.create,pubsub.subscriptions.delete,pubsub.subscriptions.get,pubsub.subscriptions.list,pubsub.subscriptions.consume,pubsub.topics.attachSubscription,pubsub.topics.create,pubsub.topics.delete,pubsub.topics.detachSubscription,pubsub.topics.get,pubsub.topics.getIamPolicy,pubsub.topics.list,pubsub.topics.setIamPolicy,pubsub.topics.update,cloudkms.keyRings.list,cloudkms.cryptoKeys.list,serviceusage.services.list' --quiet
gcloud iam roles create Veeam.VB.Repository_5977261342819868319 --project=yangmeizhi-veeam-test --quiet
gcloud iam roles update Veeam.VB.Repository_5977261342819868319 --project=yangmeizhi-veeam-test --permissions='storage.buckets.list,storage.buckets.get,storage.objects.create,storage.objects.delete,storage.objects.list,storage.objects.get,storage.hmacKeys.create,storage.hmacKeys.list,storage.hmacKeys.get,resourcemanager.projects.get,serviceusage.services.list,storage.buckets.getIamPolicy,storage.buckets.setIamPolicy,compute.projects.get' --quiet
gcloud iam roles create Veeam.VB.Restore_5977261342819868319 --project=yangmeizhi-veeam-test --quiet
gcloud iam roles update Veeam.VB.Restore_5977261342819868319 --project=yangmeizhi-veeam-test --permissions='compute.addresses.list,compute.disks.create,compute.disks.get,compute.disks.setLabels,compute.disks.use,compute.disks.delete,compute.disks.useReadOnly,compute.firewalls.list,compute.globalOperations.list,compute.globalOperations.get,compute.instances.create,compute.instances.delete,compute.instances.get,compute.instances.setLabels,compute.instances.setMachineResources,compute.instances.setMetadata,compute.instances.setMinCpuPlatform,compute.instances.setScheduling,compute.instances.setServiceAccount,compute.instances.setTags,compute.instances.start,compute.instances.stop,compute.instances.updateDisplayDevice,compute.instances.updateNetworkInterface,compute.instances.setDeletionProtection,compute.machineTypes.list,compute.networks.list,compute.projects.get,compute.regionOperations.get,compute.regions.get,compute.regions.list,compute.snapshots.create,compute.snapshots.delete,compute.snapshots.get,compute.snapshots.getIamPolicy,compute.snapshots.list,compute.snapshots.setLabels,compute.snapshots.useReadOnly,compute.subnetworks.list,compute.subnetworks.use,compute.subnetworks.useExternalIp,compute.zoneOperations.get,compute.zones.get,compute.zones.list,iam.serviceAccounts.actAs,iam.serviceAccounts.list,resourcemanager.projects.get,cloudkms.cryptoKeys.list,cloudkms.keyRings.list,compute.addresses.use,compute.addresses.useInternal,compute.disks.list,compute.instances.list,compute.routes.list,cloudkms.cryptoKeys.setIamPolicy,cloudkms.cryptoKeys.getIamPolicy,serviceusage.services.list' --quiet
gcloud iam roles create Veeam.VB.Worker_5977261342819868319 --project=yangmeizhi-veeam-test --quiet
gcloud iam roles update Veeam.VB.Worker_5977261342819868319 --project=yangmeizhi-veeam-test --permissions='compute.regions.list,compute.disks.list,compute.instances.get,compute.instances.list,compute.snapshots.get,compute.snapshots.list,compute.zones.get,compute.zones.list,compute.globalOperations.get,compute.zoneOperations.get,compute.regionOperations.get,resourcemanager.projects.get,compute.projects.get,compute.firewalls.list,compute.snapshots.getIamPolicy,compute.networks.list,compute.subnetworks.list,resourcemanager.projects.getIamPolicy,iam.serviceAccounts.actAs,compute.disks.create,compute.disks.createSnapshot,compute.disks.delete,compute.disks.setLabels,compute.instances.attachDisk,compute.instances.create,compute.instances.delete,compute.instances.detachDisk,compute.instances.setMetadata,compute.instances.setServiceAccount,compute.instances.setLabels,compute.instances.setTags,compute.routes.list,compute.regions.get,compute.snapshots.create,compute.snapshots.setLabels,compute.snapshots.setIamPolicy,compute.snapshots.delete,pubsub.subscriptions.consume,pubsub.subscriptions.create,pubsub.subscriptions.delete,pubsub.subscriptions.list,pubsub.subscriptions.get,logging.sinks.get,logging.sinks.delete,logging.sinks.list,pubsub.topics.attachSubscription,pubsub.topics.detachSubscription,pubsub.topics.create,pubsub.topics.delete,pubsub.topics.list,pubsub.topics.get,pubsub.topics.publish,compute.machineTypes.get,compute.machineTypes.list,compute.subnetworks.get,compute.subnetworks.use,compute.subnetworks.useExternalIp,compute.disks.use,serviceusage.services.list' --quiet
gcloud iam roles create Veeam.VB.SqlSnapshot_5977261342819868319 --project=yangmeizhi-veeam-test --quiet
gcloud iam roles update Veeam.VB.SqlSnapshot_5977261342819868319 --project=yangmeizhi-veeam-test --permissions='cloudsql.backupRuns.create,cloudsql.backupRuns.delete,cloudsql.backupRuns.get,cloudsql.backupRuns.list,cloudsql.databases.list,cloudsql.instances.get,cloudsql.instances.list,compute.regions.list,compute.zones.list,logging.sinks.create,logging.sinks.delete,logging.sinks.get,logging.sinks.get,logging.sinks.list,pubsub.subscriptions.consume,pubsub.subscriptions.create,pubsub.subscriptions.delete,pubsub.subscriptions.get,pubsub.subscriptions.list,pubsub.subscriptions.list,pubsub.topics.attachSubscription,pubsub.topics.create,pubsub.topics.delete,pubsub.topics.detachSubscription,pubsub.topics.get,pubsub.topics.getIamPolicy,pubsub.topics.list,pubsub.topics.setIamPolicy,serviceusage.services.list,compute.projects.get' --quiet
gcloud iam roles create Veeam.VB.SqlRestore_5977261342819868319 --project=yangmeizhi-veeam-test --quiet
gcloud iam roles update Veeam.VB.SqlRestore_5977261342819868319 --project=yangmeizhi-veeam-test --permissions='cloudkms.cryptoKeys.getIamPolicy,cloudkms.cryptoKeys.list,cloudkms.cryptoKeys.setIamPolicy,cloudkms.keyRings.list,cloudsql.backupRuns.get,cloudsql.instances.create,cloudsql.instances.get,cloudsql.instances.import,cloudsql.instances.restoreBackup,compute.firewalls.list,compute.networks.list,compute.projects.get,compute.regions.list,compute.routes.list,compute.subnetworks.list,compute.zones.list,cloudsql.backupRuns.list,cloudsql.databases.create,cloudsql.databases.list,cloudsql.instances.list,cloudsql.users.create,cloudsql.users.list,pubsub.subscriptions.consume,pubsub.subscriptions.create,pubsub.subscriptions.delete,pubsub.subscriptions.get,pubsub.subscriptions.list,pubsub.topics.attachSubscription,pubsub.topics.create,pubsub.topics.delete,pubsub.topics.detachSubscription,pubsub.topics.get,pubsub.topics.list,serviceusage.services.list,cloudsql.backupRuns.create,cloudsql.backupRuns.delete,cloudsql.databases.get' --quiet
gcloud iam roles create Veeam.VB.SqlBackup_5977261342819868319 --project=yangmeizhi-veeam-test --quiet
gcloud iam roles update Veeam.VB.SqlBackup_5977261342819868319 --project=yangmeizhi-veeam-test --permissions='cloudsql.backupRuns.create,cloudsql.backupRuns.delete,cloudsql.backupRuns.get,cloudsql.backupRuns.list,cloudsql.databases.list,cloudsql.instances.export,cloudsql.instances.get,cloudsql.instances.list,cloudsql.instances.listServerCas,cloudsql.instances.update,cloudsql.users.list,compute.regions.list,compute.zones.list,logging.sinks.create,logging.sinks.delete,logging.sinks.get,logging.sinks.get,logging.sinks.list,pubsub.subscriptions.consume,pubsub.subscriptions.create,pubsub.subscriptions.delete,pubsub.subscriptions.get,pubsub.subscriptions.list,pubsub.subscriptions.list,pubsub.topics.attachSubscription,pubsub.topics.create,pubsub.topics.delete,pubsub.topics.detachSubscription,pubsub.topics.get,pubsub.topics.getIamPolicy,pubsub.topics.list,pubsub.topics.setIamPolicy,serviceusage.services.list,compute.projects.get' --quiet
gcloud iam roles create Veeam.VB.SqlStaging_5977261342819868319 --project=yangmeizhi-veeam-test --quiet
gcloud iam roles update Veeam.VB.SqlStaging_5977261342819868319 --project=yangmeizhi-veeam-test --permissions='cloudsql.databases.list,cloudsql.instances.create,cloudsql.instances.delete,cloudsql.instances.export,cloudsql.instances.get,cloudsql.instances.list,cloudsql.instances.listServerCas,cloudsql.users.create,cloudsql.users.list,compute.projects.get' --quiet
gcloud iam roles create Veeam.VB.GrantAccess_5977261342819868319 --project=yangmeizhi-veeam-test --quiet
gcloud iam roles update Veeam.VB.GrantAccess_5977261342819868319 --project=yangmeizhi-veeam-test --permissions='resourcemanager.projects.get,resourcemanager.projects.getIamPolicy,resourcemanager.projects.setIamPolicy,compute.projects.get' --quiet
gcloud iam roles create Veeam.VB.SqlAccessBackup_5977261342819868319 --project=yangmeizhi-veeam-test --quiet
gcloud iam roles update Veeam.VB.SqlAccessBackup_5977261342819868319 --project=yangmeizhi-veeam-test --permissions='cloudsql.instances.get,cloudsql.instances.restoreBackup' --quiet
gcloud projects add-iam-policy-binding yangmeizhi-veeam-test --member=serviceAccount:yangmeizhi01@yangmeizhi-veeam-test.iam.gserviceaccount.com --role=projects/yangmeizhi-veeam-test/roles/Veeam.VB.Backup_5977261342819868319 --condition=None --quiet
gcloud projects add-iam-policy-binding yangmeizhi-veeam-test --member=serviceAccount:yangmeizhi01@yangmeizhi-veeam-test.iam.gserviceaccount.com --role=projects/yangmeizhi-veeam-test/roles/Veeam.VB.Snapshot_5977261342819868319 --condition=None --quiet
gcloud projects add-iam-policy-binding yangmeizhi-veeam-test --member=serviceAccount:yangmeizhi01@yangmeizhi-veeam-test.iam.gserviceaccount.com --role=projects/yangmeizhi-veeam-test/roles/Veeam.VB.Repository_5977261342819868319 --condition=None --quiet
gcloud projects add-iam-policy-binding yangmeizhi-veeam-test --member=serviceAccount:yangmeizhi01@yangmeizhi-veeam-test.iam.gserviceaccount.com --role=projects/yangmeizhi-veeam-test/roles/Veeam.VB.Restore_5977261342819868319 --condition=None --quiet
gcloud projects add-iam-policy-binding yangmeizhi-veeam-test --member=serviceAccount:yangmeizhi01@yangmeizhi-veeam-test.iam.gserviceaccount.com --role=projects/yangmeizhi-veeam-test/roles/Veeam.VB.Worker_5977261342819868319 --condition=None --quiet
gcloud projects add-iam-policy-binding yangmeizhi-veeam-test --member=serviceAccount:yangmeizhi01@yangmeizhi-veeam-test.iam.gserviceaccount.com --role=projects/yangmeizhi-veeam-test/roles/Veeam.VB.SqlSnapshot_5977261342819868319 --condition=None --quiet
gcloud projects add-iam-policy-binding yangmeizhi-veeam-test --member=serviceAccount:yangmeizhi01@yangmeizhi-veeam-test.iam.gserviceaccount.com --role=projects/yangmeizhi-veeam-test/roles/Veeam.VB.SqlRestore_5977261342819868319 --condition=None --quiet
gcloud projects add-iam-policy-binding yangmeizhi-veeam-test --member=serviceAccount:yangmeizhi01@yangmeizhi-veeam-test.iam.gserviceaccount.com --role=projects/yangmeizhi-veeam-test/roles/Veeam.VB.SqlBackup_5977261342819868319 --condition=None --quiet
gcloud projects add-iam-policy-binding yangmeizhi-veeam-test --member=serviceAccount:yangmeizhi01@yangmeizhi-veeam-test.iam.gserviceaccount.com --role=projects/yangmeizhi-veeam-test/roles/Veeam.VB.SqlStaging_5977261342819868319 --condition=None --quiet
gcloud projects add-iam-policy-binding yangmeizhi-veeam-test --member=serviceAccount:yangmeizhi01@yangmeizhi-veeam-test.iam.gserviceaccount.com --role=projects/yangmeizhi-veeam-test/roles/Veeam.VB.GrantAccess_5977261342819868319 --condition="^:^expression=api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['projects/yangmeizhi-veeam-test/roles/Veeam.VB.SqlAccessBackup_5977261342819868319']):title=veeam-roles-only:description=Allow grant and removal of Veeam roles only" --quiet

When the script completes, return to the console and click Check Permissions to verify the permissions; all of them should show as passed.

Click Finish to complete adding the new project.
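Check Permissions confirms that VBG has what it needs; it does not tell you whether the backup service account has also picked up rights beyond the Veeam.VB.* custom roles, or who else can mint tokens for it. The following Python script is an added example, not part of the article or of Veeam's tooling: it reads the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` (the field layout is assumed from gcloud's JSON output) and flags any non-Veeam role on the account, any GrantAccess binding without the modifiedGrantsByRole condition the script attaches, and any Token Creator other than the VBG appliance account. The project ID and account names are the ones from the script above; the policy documents are constructed samples so the audit runs offline.

```python
"""Audit the IAM grants left behind by the VBG-generated script.

Added example (not from the article or from Veeam). Inputs are the JSON from:
    gcloud projects get-iam-policy PROJECT_ID --format=json
    gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
whose {"bindings": [{"role", "members", "condition"?}]} layout is assumed from
gcloud's output. Identifiers below are the ones used in the script above; the
policy documents are constructed samples so the audit runs offline.
"""
import json

PROJECT_ID = "yangmeizhi-veeam-test"
VEEAM_SA = "serviceAccount:yangmeizhi01@yangmeizhi-veeam-test.iam.gserviceaccount.com"
# The VBG appliance account that the script made a Token Creator on VEEAM_SA.
APPLIANCE_SA = "serviceAccount:veeam-1658740842-sa@fluid-advantage-356905.iam.gserviceaccount.com"
ROLE_PREFIX = f"projects/{PROJECT_ID}/roles/Veeam.VB."
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Constructed project policy: the Veeam roles as granted by the script, plus an
# unconditional roles/editor grant added by hand (the finding we want to see).
SAMPLE_PROJECT_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": ROLE_PREFIX + "Backup_5977261342819868319", "members": [VEEAM_SA]},
        {"role": ROLE_PREFIX + "Restore_5977261342819868319", "members": [VEEAM_SA]},
        {"role": ROLE_PREFIX + "GrantAccess_5977261342819868319", "members": [VEEAM_SA],
         "condition": {
             "title": "veeam-roles-only",
             "expression": "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', [])"
                           ".hasOnly(['projects/yangmeizhi-veeam-test/roles/"
                           "Veeam.VB.SqlAccessBackup_5977261342819868319'])"}},
        {"role": "roles/editor", "members": ["user:admin@example.com", VEEAM_SA]},
    ],
})

# Constructed service-account policy: one extra human Token Creator.
SAMPLE_SA_POLICY = json.dumps({
    "bindings": [{"role": TOKEN_CREATOR,
                  "members": [APPLIANCE_SA, "user:admin@example.com"]}],
})


def audit_project_policy(policy_json: str, member: str = VEEAM_SA,
                         role_prefix: str = ROLE_PREFIX) -> list:
    """Findings for `member`: any role outside the Veeam.VB.* custom roles, and
    any GrantAccess binding lacking the modifiedGrantsByRole condition that
    limits which roles it may hand out."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if not role.startswith(role_prefix):
            findings.append(f"{member} holds non-Veeam role {role}")
        elif ".GrantAccess_" in role:
            expr = binding.get("condition", {}).get("expression", "")
            if "modifiedGrantsByRole" not in expr or "hasOnly" not in expr:
                findings.append(f"{role} is bound without the modifiedGrantsByRole condition")
    return findings


def audit_token_creators(sa_policy_json: str, allowed=(APPLIANCE_SA,)) -> list:
    """Findings: principals other than the VBG appliance that can impersonate the
    backup service account, and with it exercise every Veeam role it holds."""
    findings = []
    for binding in json.loads(sa_policy_json).get("bindings", []):
        if binding["role"] != TOKEN_CREATOR:
            continue
        for principal in binding.get("members", []):
            if principal not in allowed:
                findings.append(f"unexpected Token Creator {principal}")
    return findings


if __name__ == "__main__":
    for finding in audit_project_policy(SAMPLE_PROJECT_POLICY) + audit_token_creators(SAMPLE_SA_POLICY):
        print("FINDING:", finding)
```

The two audits are deliberately separate because the grants live on different resources: the custom roles are project-level bindings, while Token Creator is set on the service account itself. Re-run both after any change to the project's IAM policy, since an extra primitive role or Token Creator silently widens what a compromised appliance could do.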

3.2.2 Configuring the repository

A repository is the location where backup files are stored. Veeam Backup for Google Cloud uses Google Cloud Storage as its repository and keeps backup data in a folder created inside a bucket. A GCS bucket is created automatically when Veeam Backup for Google Cloud is deployed; you can also create one manually.

Select Repositories and click Add.

Enter the name of the Cloud Storage bucket.

Select the project and generate a GCS HMAC key at the same time; make a note of the HMAC key.

Select the GCS bucket; an existing folder can be used as the repository, or a new folder can be created for it.

Choose whether to enable encryption.

Review the repository summary and click Finish to create the repository.

3.2.3 Configuring workers

Worker instances are temporary Linux-based VM instances responsible for interacting with backup repositories. Veeam Backup for Google Cloud deploys worker instances automatically during backup, archive or restore operations and deletes them as soon as the operation completes.

3.2.3.1 Configuring the worker network

In the VBG Web UI console, click Configuration in the top-right corner and select Workers -> Network to configure the network settings.

Select the zone.

Select the VPC network, subnet and firewall rules.

Review the network summary and click Finish to complete the worker network configuration.

3.2.3.2 Configuring the worker profile

In the VBG Web UI console, click Configuration in the top-right corner and select Workers -> Profile.

Select the worker region and zone.

Select the worker profile; the default profile is sufficient.

Review the worker profile summary and click Finish to create the worker profile.

4. Backing Up Compute Engine and Cloud SQL

4.1 Creating a backup policy and running the backup job

In the VBG Web UI console, open Policies. The VM tab creates Compute Engine backup policies and the Cloud SQL tab creates database backup policies. Select VM and click Add to create a Compute Engine backup policy.

Enter the policy name.

Select the project and region of the VMs to back up, then the target VMs.

Set the Enable Backup switch to On and select the backup repository and related settings.

Specify the policy schedule.

Enable label assignment; the defaults are fine here.

General policy settings.

Backup cost estimate.

Review the backup policy summary and click Finish to create the backup policy.

All backup policies are listed under Policies; select a backup policy and click Start to begin backing up the VMs.

The steps for creating a Cloud SQL backup policy are much the same as for VMs and are not demonstrated here.

4.2 Disaster recovery drill

4.2.1 Restoring a Google Compute Engine instance

Delete the protected VM instance in the Google Cloud Console.

Log in to the VBG Web UI console, go to Protected Data and, under VM, click Restore -> Instance Restore to launch the restore wizard.

Select the restore point; the latest restore point is selected by default.

Select the restore mode; the instance can be restored to its original location or to a custom location.

Specify the restore reason; as this is a lab environment, it can be skipped by clicking Next.

Review the restore summary, tick "Power on the VM after restore" and click Finish to restore the VM.

Track the restore progress in the session log.

The VM instance is restored successfully.

In the Google Cloud Console you can see that the restored instance is running.

4.2.2 Restoring a Cloud SQL database

Delete the test Cloud SQL database jumpserver:

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| jumpserver         |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

MySQL [(none)]> drop database jumpserver;
Query OK, 132 rows affected (1.87 sec)

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.00 sec)

In the VBG Web UI console, select Protected Data -> Cloud SQL, select the instance whose backup has completed and click Restore -> Database Restore.

Select the Cloud SQL database to restore.

Select restore to the original location.

Enter the restore reason, or skip it by clicking Next.

Review the restore summary and click Finish to start restoring the Cloud SQL database.

Track the restore progress in the session log.

The Cloud SQL database is restored successfully.

5. Summary

Veeam Backup for Google Cloud is a good solution for protecting Google Cloud environments and recovering from disasters. With it, users can create image-level backups and cloud-native snapshots of VM instances; create image-level backups and cloud-native snapshots of Cloud SQL instances; keep backup data in cost-effective long-term Google Cloud Storage buckets; and restore entire Cloud SQL instances, individual Cloud SQL databases, entire Compute Engine VM instances, individual persistent disks, and system files and folders. It also integrates with Veeam Backup & Replication to enable cross-cloud data recovery and migration, making it an excellent cloud disaster recovery product for the cloud-native era.
